Access Control Lists
Written by Bill Reed 03/11/05
Access Control Lists
During this presentation we will:
• Discuss the usage for ACLs in our networks
• Look at the syntax of the ACL commands
• Examine the application of our ACLs
• Explore the mechanisms behind the wild card mask
• Test our understanding with some exercises
Access Control Lists
ACL usage
• ACLs are used to regulate traffic that can traverse our networks
• This can be for security reasons, such as limiting access to restricted network segments and the systems within them
• ACLs can also be used to filter routing protocol updates on segments where they are unnecessary or undesirable
Access Control Lists
ACL command syntax
access-list 101 <condition> <protocol> <source IP> <source WCM> <dest IP> <dest WCM> <port or service>
Condition = permit or deny
Protocol = IP, ICMP, TCP, UDP
Source IP & WCM = 192.168.0.55 0.0.0.255
Dest IP & WCM = 100.50.50.50 0.255.255.255
Port / Service = 80 or HTTP, 21 or FTP
Access Control Lists
ACL application rules
• Access control lists are all about matching
• Access control list entries are applied in the order that they are written
• Once an ACL's parameters are matched, the ACL's condition is applied
• There is an unseen entry created whenever an ACL is compiled, called the explicit deny rule
• The explicit deny acts as a catch-all at the end of the ACL
• ACLs have restrictions regarding editing
Access Control Lists
Wild Card Masks
The basic rules for WCMs are very simple:
0 = must match
1 = I don't care
The address of the traffic passing through the interface is compared bit by bit with the address in the ACL; the WCM decides which of those bits have to match.
192.168.0.55  11000000 10101000 00000000 00110110
0.0.0.255     00000000 00000000 00000000 11111111
Access Control Lists
Wild Card Masks
Address in packet = 192.168.0.10   11000000 10101000 00000000 00001010
Address in ACL    = 192.168.0.55   11000000 10101000 00000000 00110110
Wild card mask    = 0.0.0.255      00000000 00000000 00000000 11111111
0 = must match
1 = I don't care
Access Control Lists
Wild Card Masks
WCMs can also specify ranges of addresses and individual addresses.
Range-based WCMs are built on contiguous ones in our binary masks.
1, 3, 7, 15, 31, 63 are all acceptable values for our range statements in the WCM.
The basic rules still apply: 0 = must match, 1 = I don't care
Access Control Lists
Wild Card Masks
Given a mask of 0.0.0.3:
3 = 00000011
Remember, 1 means I don't care.
Any combination of values in the least significant 2 bits will match the ACL, i.e. 00 / 01 / 10 / 11.
This leads to an octet value of anything between 0 & 3 matching the ACL and the condition being applied.
Access Control Lists
Wild Card Masks
7  = 00000111   values between 0 & 7 will match
15 = 00001111   values between 0 & 15 will match
31 = 00011111   values between 0 & 31 will match
What will a WCM of 0.0.0.254 match when applied to an address of 192.168.0.1?
Access Control Lists
Wild Card Masks
Once our ACL is written we only need to apply it to the interface and specify the direction in which traffic will be interrogated.
We use the command ip access-group followed by the number of the ACL to apply it to the interface.
On the end of that command we specify the direction with the key word in or out.
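The matching rules from the slides above, as an added example that is not part of the original presentation: a small Python model of the wildcard-mask comparison and of top-down, first-match evaluation with the unseen deny at the end of the list. The access-list 101 entries are constructed for this example; the same helper can be run against the 0.0.0.254 question on the earlier slide.

```python
import ipaddress

MASK32 = 0xFFFFFFFF


def octets_binary(ip: str) -> str:
    """Render an IPv4 address octet by octet in binary, as the slides do."""
    return " ".join(f"{int(o):08b}" for o in ip.split("."))


def wcm_match(packet_ip: str, acl_ip: str, wcm: str) -> bool:
    """Wildcard-mask comparison: a 0 bit in the mask means the packet bit
    must equal the ACL bit, a 1 bit means 'I don't care'."""
    p = int(ipaddress.IPv4Address(packet_ip))
    a = int(ipaddress.IPv4Address(acl_ip))
    m = int(ipaddress.IPv4Address(wcm))
    must_match = ~m & MASK32          # invert the mask: 1 = bit must match
    return (p & must_match) == (a & must_match)


def matching_last_octets(acl_ip: str, wcm: str) -> list:
    """Every last-octet value an entry matches when the mask's first three
    octets are 0 (the form used on the slides, e.g. 0.0.0.3 or 0.0.0.254)."""
    base = acl_ip.rsplit(".", 1)[0]
    return [n for n in range(256) if wcm_match(f"{base}.{n}", acl_ip, wcm)]


# Constructed example of 'access-list 101' entries, in the order written:
# (condition, protocol, source, source WCM, destination, destination WCM).
# Port/service matching is left out to keep the focus on address matching.
ACL_101 = [
    ("deny", "ip", "192.168.0.55", "0.0.0.255", "0.0.0.0", "255.255.255.255"),
    ("permit", "ip", "192.168.0.0", "0.0.255.255", "0.0.0.0", "255.255.255.255"),
]


def evaluate(acl, src: str, dst: str) -> str:
    """Walk the list top down; the first entry whose source and destination
    both match decides. Falling off the end hits the unseen deny-all entry."""
    for condition, _proto, s, s_wcm, d, d_wcm in acl:
        if wcm_match(src, s, s_wcm) and wcm_match(dst, d, d_wcm):
            return condition
    return "deny"  # the catch-all at the end of every ACL


if __name__ == "__main__":
    for src in ("192.168.0.10", "192.168.1.10", "10.0.0.1"):
        print(f"{src:13} {octets_binary(src)} -> {evaluate(ACL_101, src, '10.1.1.1')}")
```

Swapping the two entries in ACL_101 changes the verdict for 192.168.0.10, which is the order-dependence the application rules slide warns about.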
Access Control Lists
Exercise